ABSTRACT

In this paper, we consider an extended concept of invariant for polynomial dynamical systems (PDSs) with domain and initial condition, and establish a sound and complete criterion for checking semi-algebraic invariants (SAIs) of such PDSs. The main idea is to encode the relevant dynamical properties as conditions on the higher-order Lie derivatives of the polynomials occurring in the SAI. A direct consequence of this criterion is a relatively complete method of SAI generation based on template assumption and semi-algebraic constraint solving. Relative completeness means that if there is an SAI in the form of a predefined template, then our method can indeed find one using this template.
1. INTRODUCTION

Hybrid systems are systems involving both continuous evolutions and discrete transitions. How to design correct (desired) hybrid systems is a grand challenge in computer science and control theory. From a computer scientist's point of view, the main concern about hybrid systems up to now has been to verify so-called safety properties. A safety property claims that no unsafe state is reachable from any initial state along any trajectory of the system.

1.1 Motivation 

Directly computing the reachable set is a natural way to address this issue. As we know, there are two well-developed techniques for computing reachable sets so far, namely techniques based on model checking [22] and on the decision procedure of Tarski algebra [28], respectively. However, the former technique requires decidability and therefore can only be applied to some simple hybrid systems, e.g. timed automata [1], multirate automata [2], rectangular automata [21], [12], and so on. Comparatively speaking, the latter technique has a wider scope of application. For example, in [14] how to compute reachable sets for three classes of special linear hybrid systems is investigated. However, this technique heavily depends on whether the explicit solutions of the considered differential equations are, or can be reduced to, polynomials. So this approach cannot be applied to general linear hybrid systems, let alone nonlinear systems.

To deal with more complicated systems, a deductive method has recently been established and successfully applied in practice [17], [18], which can be seen as a generalization of the so-called Floyd-Hoare-Naur inductive assertion method. The inductive assertion method is considered the dominant method for the verification of sequential programs. To generalize the inductive method to hybrid systems, a logic similar to Hoare logic that can deal with continuous dynamics is necessary. For example, differential-algebraic dynamic logic [16] due to Platzer was invented by extending dynamic logic with continuous statements. Recently, Liu et al. [15] made another effort by extending Hoare logic to hybrid systems for the same purpose.

The most challenging part of the inductive method is how to discover invariants of hybrid systems. An invariant is a property that holds at all states reachable from any initial state that satisfies this property. If we can get invariants that are strong enough to imply the safety property to be verified, then we succeed in safety verification without solving differential equations, whereas differential equations have to be solved exactly or approximated in the methods based on directly computing reachable sets. In particular, if the term expressions of a hybrid system are, or can be reduced to, polynomials, the so-called inductive invariants [25] can be effectively generated using the constraint-based approach [9].

The key issue in generating inductive invariants of a hybrid system is to deal with continuous dynamics, i.e. to generate a continuous invariant of the continuous evolution at each location (mode) of the hybrid system. A location (mode) of a hybrid system is usually represented by a continuous dynamical system with domain and initial condition (CDSwDI for short) of the form $(H, \mathbf{f}, \Xi)$, where $\mathbf{f}$ is a vector field, $H$ is a domain restriction on the continuous evolution, and $\Xi \subseteq H$ is a set of initial states. A property $\varphi$ is called a continuous invariant (CI for short) of $(H, \mathbf{f}, \Xi)$ if it is always satisfied along any trajectory whose starting point satisfies $\Xi$, as long as the trajectory still remains in the domain $H$. For $\varphi$ to be a CI of $(H, \mathbf{f}, \Xi)$, the more complex the forms of $H$, $\mathbf{f}$, $\Xi$ and $\varphi$ are, the more intricate the induced constraints become. A global (discrete) inductive invariant of a hybrid system consists of a set of CIs such that the initial condition of the initial location (mode) entails the CI of the initial location, and if there is a discrete transition between two locations of the system, then the CI at the pre-location implies the CI at the post-location w.r.t. the discrete transition. There are many methods, e.g. [31], for certifying and generating global inductive invariants of a system by using this global inductiveness. Therefore in this paper we only focus on how to generate a CI at a single location (mode), i.e. for a CDSwDI.

1.2 Related Work 

In the literature, many efforts have been made towards the generation of algebraic or semi-algebraic continuous invariants for polynomial dynamical systems, even though CIs appear under different names.

The generation of algebraic invariants, i.e. sets defined by polynomial equations, is usually based on the theory of ideals in polynomial rings. In [25], to handle continuous differential equations, two strong continuous consecution conditions are imposed on the predefined templates, and then the two conditions are encoded as ideal membership statements. The work in [23] showed that the set of algebraic invariants of a linear system, which forms a polynomial ideal, is computable. The above two approaches both use Gröbner basis computation. An efficient technique that computes algebraic invariants as the greatest fixed point of a monotone operator over pseudo ideals was presented in [24].

As for the polynomial inequality case, to guarantee that $p \geq 0$ is a CI of a PDS $(H, \mathbf{f}, \Xi)$, it is useful to analyze the direction of $\mathbf{f}$ with regard to the set $p \geq 0$. In [19], [20], the authors proposed the notion of barrier certificates for safety verification of hybrid systems. A polynomial $p$ can be a barrier certificate if the unsafe region is included in $p < 0$, and at any point in $p = 0$, $\mathbf{f}$ points (strictly) inwards into the set $p > 0$. Such polynomial barrier certificates can be effectively computed using sum-of-squares decomposition and semi-definite programming. In [9] a similar idea is adopted, and by reducing the conditions of a CI to semi-algebraic constraints, invariants that are boolean combinations of polynomial equations and inequalities can be generated. Unfortunately, the approaches in [19], [5] were found in [27], [26], [16] to have certain problems with their soundness if, at the boundary of a CI, $\mathbf{f}$ is not strictly inward to the invariant set. In [17] the authors proposed the notion of differential invariant and the principle of differential induction. Basically, $p \geq 0$ is a differential invariant of $(H, \mathbf{f}, \Xi)$ if at any point in $H$ the directional derivative of $p$ in the direction of $\mathbf{f}$ is non-negative. This requirement is strong, but it provides a sound and effective way of generating complex semi-algebraic continuous invariants.

1.3 Our Contribution 

The problem of checking inductiveness for continuous dynamical systems was considered in [27] and [25]. Therein various sound checking rules are presented, which are also complete for classes of continuous invariants, e.g. linear, quadratic, convex and smooth invariants. The authors even proposed a sound and relatively complete rule using higher-order Lie derivatives, which is quite similar to ours. However, their relatively complete rule involves infinitely many candidate tests and is thus computationally infeasible. Our work in this paper actually resolves this problem and closes the gap left open in [27], [26].

The relative completeness of our method means that for a given PDS, if there is an SAI of the predefined template, then our method can indeed discover one SAI using this template. Thus, there are two advantages of our approach compared with the well-established approaches: firstly, more general SAIs can be generated; secondly, a by-product of the completeness of our approach is that whether a given semi-algebraic set is really an SAI of a given PDS is decidable. This is quite useful in the interplay between (global) discrete invariant generation and (local) CI generation.

1.4 Paper Organization 

The rest of this paper is organized as follows. Section 2 presents some basic notions and fundamental theories on algebraic geometry and dynamical systems. Section 3 gives a formal definition of the SAI generation problem. In Section 4 we prove the fundamental results on which our method is based. Section 5 illustrates the basic idea of our approach in simple cases. How to apply our approach to general cases is investigated in Section 6. Two case studies are given in Section 7. Section 8 concludes this paper with a discussion of future work.

2. PRELIMINARIES 

In this section, we will recall some basic notions. 

2.1 Polynomial Ideal Theory 

Let $\mathbb{K}$ be an algebraic field and $\mathbb{K}[x_1, \ldots, x_n]$ denote the polynomial ring with coefficients in $\mathbb{K}$. In this paper, $\mathbb{K}$ will be taken as the rational number field $\mathbb{Q}$. Customarily, let $\mathbf{x}$ denote the $n$-tuple $(x_1, \ldots, x_n)$ with $\dim(\mathbf{x}) = n$, and a polynomial in $\mathbb{Q}[x_1, \ldots, x_n]$ ($\mathbb{Q}[\mathbf{x}]$ for short) may be written as $p(\mathbf{x})$ or simply $p$. A parametric polynomial
$$p(\mathbf{u}, \mathbf{x}) \in \mathbb{Q}[u_1, u_2, \ldots, u_t, x_1, x_2, \ldots, x_n]$$
is called a template, where $\mathbf{x}$ are variables taking values from $\mathbb{R}^n$ and $\mathbf{u}$ are coefficient parameters taking values from $\mathbb{R}^t$. Given $\mathbf{u}_0 \in \mathbb{R}^t$, we call the polynomial $p_{\mathbf{u}_0}(\mathbf{x})$ obtained by substituting $\mathbf{u}_0$ for $\mathbf{u}$ in $p(\mathbf{u}, \mathbf{x})$ an instantiation of $p(\mathbf{u}, \mathbf{x})$.

In what follows, we recall the theory of polynomial ideals (refer to [6]).

Definition 1. A subset $I \subseteq \mathbb{K}[\mathbf{x}]$ is called an ideal if

i) $0 \in I$;

ii) if $p(\mathbf{x}), g(\mathbf{x}) \in I$, then $p(\mathbf{x}) + g(\mathbf{x}) \in I$;

iii) if $p(\mathbf{x}) \in I$ and $h(\mathbf{x}) \in \mathbb{K}[\mathbf{x}]$, then $p(\mathbf{x})h(\mathbf{x}) \in I$.

It is easy to check that if $p_1, \ldots, p_k \in \mathbb{K}[\mathbf{x}]$, then
$$\langle p_1, \ldots, p_k \rangle = \Big\{ \sum_{i=1}^{k} p_i h_i \;\Big|\; \forall i \in [1, k].\ h_i \in \mathbb{K}[\mathbf{x}] \Big\}$$
is an ideal. In general, we say an ideal $I$ is generated by polynomials $g_1, \ldots, g_k \in \mathbb{K}[\mathbf{x}]$ if $I = \langle g_1, \ldots, g_k \rangle$, and $\{g_1, \ldots, g_k\}$ is called a set of generators of $I$.

Theorem 2 (Hilbert Basis Theorem). Every ideal $I \subseteq \mathbb{K}[\mathbf{x}]$ has a finite generating set. That is, $I = \langle g_1, \ldots, g_k \rangle$ for some $g_1, \ldots, g_k \in \mathbb{K}[\mathbf{x}]$.

For its proof, please refer to [6]. Based upon this result, it is easy to see that

Theorem 3 (Ascending Chain Condition). For any ascending chain
$$I_1 \subseteq I_2 \subseteq \cdots \subseteq I_l \subseteq \cdots$$
of ideals in the polynomial ring $\mathbb{K}[\mathbf{x}]$, there must be an $N$ such that for all $l \geq N$, $I_l = I_N$.

2.2 Semi-algebraic Set 

An atomic polynomial formula over variables $x_1, x_2, \ldots, x_n$ is $p \triangleright 0$, where $p$ is a polynomial in $\mathbb{Q}[\mathbf{x}]$ and $\triangleright \in \{>, \geq, <, \leq, =, \neq\}$. A quantifier-free polynomial formula is a boolean combination of atomic polynomial formulas using the connectives $\vee, \wedge, \neg, \rightarrow$, etc.

Definition 4 (Semi-algebraic Set). A subset $S$ of $\mathbb{R}^n$ is called a semi-algebraic set if there is a quantifier-free polynomial formula $\varphi$ s.t.
$$S = \{\mathbf{x} \in \mathbb{R}^n \mid \varphi(\mathbf{x}) \text{ is true}\}.$$

We will use $\mathcal{S}(\varphi)$ to denote the semi-algebraic set defined by a quantifier-free polynomial formula $\varphi$. It is easy to check that any semi-algebraic set can be transformed into the form
$$\mathcal{S}\Big(\bigvee_{i=1}^{I} \bigwedge_{j=1}^{J_i} p_{ij} \triangleright 0\Big), \quad \text{where } \triangleright \in \{\geq, >\}.$$

Note that semi-algebraic sets are closed under the basic set operations, since

• $\mathcal{S}(\varphi_1) \cap \mathcal{S}(\varphi_2) = \mathcal{S}(\varphi_1 \wedge \varphi_2)$;

• $\mathcal{S}(\varphi_1) \cup \mathcal{S}(\varphi_2) = \mathcal{S}(\varphi_1 \vee \varphi_2)$;

• $\mathcal{S}(\varphi_1) \setminus \mathcal{S}(\varphi_2) = \mathcal{S}(\varphi_1) \cap \mathcal{S}(\varphi_2)^c = \mathcal{S}(\varphi_1 \wedge \neg\varphi_2)$,

where $A^c$ and $A \setminus B$ stand for the complement and the set difference, respectively.

2.3 Continuous Dynamical System 

We recall the theory of continuous dynamical systems in the 
following. Please refer to [10] for details. 



2.3.1 Trajectories of Continuous Dynamical Systems

An autonomous continuous dynamical system (CDS) is modeled by first-order ordinary differential equations
$$\dot{\mathbf{x}} = \mathbf{f}(\mathbf{x}), \qquad (1)$$
where $\mathbf{x} \in \mathbb{R}^n$ and $\mathbf{f}$ is a vector function from $\mathbb{R}^n$ to $\mathbb{R}^n$, which is also called a vector field in $\mathbb{R}^n$.

If $\mathbf{f}$ satisfies the local Lipschitz condition, then given $\mathbf{x}_0 \in \mathbb{R}^n$, there exists a unique solution $\mathbf{x}(\mathbf{x}_0; t)$ of (1) defined on $(a, b)$ with $a < 0 < b$ s.t.
$$\forall t \in (a, b).\ \frac{d\mathbf{x}(\mathbf{x}_0; t)}{dt} = \mathbf{f}(\mathbf{x}(\mathbf{x}_0; t)) \ \text{ and } \ \mathbf{x}(\mathbf{x}_0; 0) = \mathbf{x}_0.$$

When $\mathbf{x}_0$ is clear from the context, we just write $\mathbf{x}(\mathbf{x}_0; t)$ as $\mathbf{x}(t)$. Based upon this, we shall use the following notions in the sequel.

Definition 5 (Trajectory). Suppose $\mathbf{x}(\mathbf{x}_0; t)$ is the solution to (1) defined on $(a, b)$ with $a < 0 < b$, as stated above. Then

• $\mathbf{x}(\mathbf{x}_0; t)$ ($\mathbf{x}(t)$ for short) defined on $[0, b)$ is called the trajectory of (1) starting from $\mathbf{x}_0$;

• $\mathbf{x}(\mathbf{x}_0; -t)$ ($\mathbf{x}(-t)$ for short) defined on $[0, -a)$, obtained by substituting $-t$ for $t$ in $\mathbf{x}(\mathbf{x}_0; t)$, is called the inverse trajectory of (1) starting from $\mathbf{x}_0$.

2.3.2 Polynomial Vector Fields and Lie Derivatives

In this paper, we focus on vector fields defined by polynomials.

Definition 6 (Polynomial Vector Field). Suppose $\mathbf{f} = (f_1, f_2, \ldots, f_n)$ in (1). If for all $1 \leq i \leq n$, $f_i$ is a polynomial in $\mathbb{Q}[x_1, x_2, \ldots, x_n]$, then $\mathbf{f}$ is called a polynomial vector field, denoted by $\mathbf{f} \in \mathbb{Q}^n[\mathbf{x}]$.

Obviously polynomial vector fields satisfy the local Lipschitz condition. Let $p$ be a polynomial in the ring $\mathbb{Q}[\mathbf{x}]$, which is a scalar function. Then the gradient of $p$,
$$\frac{\partial p}{\partial \mathbf{x}} = \Big(\frac{\partial p}{\partial x_1}, \frac{\partial p}{\partial x_2}, \ldots, \frac{\partial p}{\partial x_n}\Big),$$
is a vector of polynomials with dimension $\dim(\mathbf{x})$. Thus the inner product of a polynomial vector field $\mathbf{f}$ and the gradient of a polynomial $p$ is still a polynomial, if $\mathbf{f} \in \mathbb{Q}^n[\mathbf{x}]$ and $\dim(\mathbf{x}) = n$ (in the rest of the paper, this will be assumed implicitly). Therefore we can inductively define the Lie derivatives of $p$ along $\mathbf{f}$, $L^k_{\mathbf{f}} p : \mathbb{R}^n \to \mathbb{R}$ for $k \in \mathbb{N}$, as follows:

• $L^0_{\mathbf{f}} p(\mathbf{x}) = p(\mathbf{x})$,

• $L^k_{\mathbf{f}} p(\mathbf{x}) = \big\langle \frac{\partial}{\partial \mathbf{x}} L^{k-1}_{\mathbf{f}} p(\mathbf{x}), \mathbf{f}(\mathbf{x}) \big\rangle$, for $k > 0$,

where $\langle \cdot, \cdot \rangle$ is the inner product of two vectors, that is, $\langle \mathbf{a}, \mathbf{b} \rangle = \sum_{i=1}^{n} a_i b_i$ for $\mathbf{a} = (a_1, \ldots, a_n)$ and $\mathbf{b} = (b_1, \ldots, b_n)$.



Example 7. Suppose $\mathbf{f} = (-x, y)$ and $p(x, y) = x + y^2$; then
$$L^0_{\mathbf{f}} p = x + y^2,$$
$$L^1_{\mathbf{f}} p = -x + 2y^2,$$
$$L^2_{\mathbf{f}} p = x + 4y^2.$$



For a parametric polynomial $p(\mathbf{u}, \mathbf{x})$, we can define the Lie derivatives of $p$ along $\mathbf{f}$ similarly if the gradient of $p(\mathbf{u}, \mathbf{x})$ is taken as $\frac{\partial}{\partial \mathbf{x}} p(\mathbf{u}, \mathbf{x})$, and all $L^k_{\mathbf{f}} p(\mathbf{u}, \mathbf{x})$ are still parametric polynomials.

Given a polynomial vector field, we can make use of Lie derivatives to investigate the tendency of its trajectories in terms of a polynomial $p$ (as an energy function). To capture this, look at Example 7 as shown in part I of Figure 1.

In part I of Figure 1, arrow B denotes the evolution direction according to the vector field $\mathbf{f} = (-x, y)$; we may think of the points on the parabola $p(x, y) = x + y^2 = 0$ as having zero energy, and of the points in the white area as having positive energy, i.e. $p(x, y) > 0$. Arrow A is the gradient $\frac{\partial p}{\partial \mathbf{x}}\big|_{(-1,1)}$ of $p(x, y)$, which implies that the trajectory starting at $(-1, 1)$ will enter the white area immediately if the angle between $\frac{\partial p}{\partial \mathbf{x}}\big|_{(-1,1)}$ and the evolution direction at $(-1, 1)$ is less than $\frac{\pi}{2}$, that is, if the 1st-order Lie derivative is positive. Thus the 1st-order Lie derivative $L^1_{\mathbf{f}} p\big|_{(-1,1)} = 3$ of $p$ along $\mathbf{f}$ (the inner product of $\frac{\partial p}{\partial \mathbf{x}}\big|_{(-1,1)}$ and $\mathbf{f}(x, y)\big|_{(-1,1)}$) predicts that there is some positive $d > 0$ such that the trajectory starting at $(-1, 1)$ (curve C) has the property $p(\mathbf{x}((-1, 1), t)) > 0$ for all $t \in (0, d)$.

However, if the angle between the gradient and the evolution direction is $\frac{\pi}{2}$, or the gradient is the zero vector, then the 1st-order Lie derivative is zero and it is impossible to predict the trajectory tendency by means of the 1st-order Lie derivative. In this case, we resort to nonzero higher-order Lie derivatives. For this purpose, we introduce the pointwise rank of $p$ with respect to $\mathbf{f}$ as the function $\gamma_{p,\mathbf{f}} : \mathbb{R}^n \to \mathbb{N} \cup \{\infty\}$ defined by
$$\gamma_{p,\mathbf{f}}(\mathbf{x}) = \min\{k \in \mathbb{N} \mid L^k_{\mathbf{f}} p(\mathbf{x}) \neq 0\},$$
if such a $k$ exists, and otherwise $\gamma_{p,\mathbf{f}}(\mathbf{x}) = \infty$.



Example 8. Let $\mathbf{f}(x, y) = (\dot{x} = -2y, \dot{y} = x^2)$ and $h(x, y) = x + y^2$; then
$$L^0_{\mathbf{f}} h(x, y) = x + y^2,$$
$$L^1_{\mathbf{f}} h(x, y) = -2y + 2x^2 y,$$
$$L^2_{\mathbf{f}} h(x, y) = -8xy^2 - (2 - 2x^2)x^2.$$
Here, $\gamma_{h,\mathbf{f}}(0, 0) = \infty$, $\gamma_{h,\mathbf{f}}(-4, 2) = 1$, etc.

Look at part II of Figure 1. At the point $(-1, 1)$ on the curve $h(x, y) = 0$, the gradient of $h$ is $(1, 2)$ (arrow A) and the evolution direction is $(-2, 1)$ (arrow B), so their inner product is zero. Thus it is impossible to predict the tendency (in terms of the curve $h(x, y) = 0$) of the trajectory starting from $(-1, 1)$ via its 1st-order Lie derivative. By a simple computation, its 2nd-order Lie derivative is 8. Hence $\gamma_{h,\mathbf{f}}(-1, 1) = 2$. In the sequel, we shall show how to use such higher-order Lie derivatives to analyze the trajectory tendency.

Figure 1: Lie Derivatives (I: 1-order Lie Derivative and Gradient; II: Demand for High Order Lie Derivative)

For analyzing the trajectory tendency by higher-order Lie derivatives, we need the following fact.

Proposition 9. Given polynomial functions $p$ and $\mathbf{f}$, $\mathbf{x}_0$ is on the boundary $\mathcal{S}(p(\mathbf{x}) = 0)$ iff $\gamma_{p,\mathbf{f}}(\mathbf{x}_0) \neq 0$. Suppose $\mathbf{x}_0 = \mathbf{x}(0)$; then it follows that

(a) if $\gamma_{p,\mathbf{f}}(\mathbf{x}_0) < \infty$ and $L^{\gamma_{p,\mathbf{f}}(\mathbf{x}_0)}_{\mathbf{f}} p(\mathbf{x}_0) > 0$, then
$$\exists \epsilon > 0, \forall t \in (0, \epsilon).\ p(\mathbf{x}(t)) > 0;$$

(b) if $\gamma_{p,\mathbf{f}}(\mathbf{x}_0) < \infty$ and $L^{\gamma_{p,\mathbf{f}}(\mathbf{x}_0)}_{\mathbf{f}} p(\mathbf{x}_0) < 0$, then
$$\exists \epsilon > 0, \forall t \in (0, \epsilon).\ p(\mathbf{x}(t)) < 0;$$

(c) if $\gamma_{p,\mathbf{f}}(\mathbf{x}_0) = \infty$, then
$$\exists \epsilon > 0, \forall t \in (0, \epsilon).\ p(\mathbf{x}(t)) = 0.$$

Proof. Polynomial functions are analytic, so $\mathbf{f}$ is analytic and thus $\mathbf{x}(t)$ is analytic in a small interval $(a, b)$ containing zero [29]. Besides, $p$ is analytic, so the Taylor expansion of $p(\mathbf{x}(t))$ at $t = 0$,
$$p(\mathbf{x}(t)) = p(\mathbf{x}_0) + \frac{dp}{dt}\Big|_{t=0}\, t + \frac{d^2 p}{dt^2}\Big|_{t=0}\, \frac{t^2}{2} + \cdots = L^0_{\mathbf{f}} p(\mathbf{x}_0) + L^1_{\mathbf{f}} p(\mathbf{x}_0)\, t + L^2_{\mathbf{f}} p(\mathbf{x}_0)\, \frac{t^2}{2} + \cdots, \qquad (2)$$
converges in another small interval $(a', b')$ containing zero [13]. Then the conclusion of Proposition 9 follows immediately from formula (2) by case analysis on the sign of $L^{\gamma_{p,\mathbf{f}}(\mathbf{x}_0)}_{\mathbf{f}} p(\mathbf{x}_0)$. □

Based on this proposition, we introduce the notion of transverse set to indicate the tendency of the trajectories of a polynomial vector field in terms of the first nonzero Lie derivative of an underlying polynomial, as follows.

Definition 10. Given a polynomial $p$ and a polynomial vector field $\dot{\mathbf{x}} = \mathbf{f}(\mathbf{x})$, the transverse set of $\mathbf{f}$ over the domain $\mathcal{S}(p(\mathbf{x}) \geq 0)$ is
$$\mathrm{Trans}_{\mathbf{f}\uparrow p} = \{\mathbf{x} \in \mathbb{R}^n \mid \gamma_{p,\mathbf{f}}(\mathbf{x}) < \infty \ \wedge\ L^{\gamma_{p,\mathbf{f}}(\mathbf{x})}_{\mathbf{f}} p(\mathbf{x}) < 0\}.$$

Intuitively, if $\mathbf{x} \in \mathrm{Trans}_{\mathbf{f}\uparrow p}$, then either $\mathbf{x}$ is not in $\mathcal{S}(p(\mathbf{x}) \geq 0)$, or $\mathbf{x}$ is on the boundary of $\mathcal{S}(p(\mathbf{x}) \geq 0)$ and the trajectory $\mathbf{x}(t)$ starting from $\mathbf{x}$ exits $\mathcal{S}(p(\mathbf{x}) \geq 0)$ immediately.

3. SEMI-ALGEBRAIC INVARIANT 

A hybrid system consists of a set of CDSs, a set of jumps between these CDSs, and a set of initial states. The CDSs in a hybrid system are a little different from the standard ones, as normally they are equipped with a domain and a set of initial states, in the form $(H, \mathbf{f}, \Xi)$, where $H$ is used to force some jumps out of the mode to happen, that is, a hybrid system can stay within a mode only if the domain of the current mode holds, and $\Xi$ is a subset of $H$, standing for the set of initial states. Obviously, a CDS can be seen as a special CDSwDI by letting $H = \mathbb{R}^n$. The goal of this paper is to present a complete method for automatically discovering SAIs of PDSs, based on which, as we discussed in the introduction, we can finally verify polynomial hybrid systems.

3.1 Continuous Invariants of CDSwDI 

The notion of continuous invariant of a CDSwDI is quite similar to that of a positive invariant set of a CDS [2]. Informally, a continuous invariant $P$ of a CDSwDI $(H, \mathbf{f}, \Xi)$ is a superset of $\Xi$ such that all continuous evolutions starting from $\Xi$ stay within $P$ as long as they stay within $H$. Here, we give a formal definition of CI adapted from [17] as follows:

Definition 11 (Continuous Invariant [17]). Given a CDSwDI $(H, \mathbf{f}, \Xi)$ with $\Xi \subseteq H \subseteq \mathbb{R}^n$ and $\mathbf{f} : \mathbb{R}^n \to \mathbb{R}^n$ locally Lipschitz continuous, a set $P \subseteq \mathbb{R}^n$ is called a continuous invariant of $(H, \mathbf{f}, \Xi)$ iff

1. $\Xi \rightarrow P$; and

2. for all $\mathbf{x}_0 \in P$ and for any $T > 0$,
$$(\forall t \in [0, T].\ \mathbf{x}(\mathbf{x}_0; t) \in H) \rightarrow (\forall t \in [0, T].\ \mathbf{x}(\mathbf{x}_0; t) \in P).$$

Regarding Definition 11, we would like to make the following remarks.

1. The continuous invariant of Definition 11 is more general than the standard positive invariant set of continuous dynamical systems. However, if $H = \mathbb{R}^n$ and $\Xi = P$, then the two notions coincide.

2. One may have noticed that in Definition 11 a continuous invariant set $P$ is not necessarily a subset of the domain $H$. In fact, any $P$ satisfying $H \subseteq P$ is a continuous invariant of $(H, \mathbf{f}, \Xi)$. This seems weird at first sight, because such continuous invariant sets are useless if we only consider the CDSwDI in isolation. But it would be quite useful in the verification of a hybrid system if we assume that the continuous invariant of a mode always holds while the hybrid system does not stay within the mode.



3.2 PDS and SAI

Definition 12. A CDSwDI $(H, \mathbf{f}, \Xi)$ is called a polynomial dynamical system with semi-algebraic domain and initial states (PDS) if $H$ and $\Xi$ are semi-algebraic sets and $\mathbf{f}$ is a polynomial vector field in $\mathbb{Q}^n[\mathbf{x}]$.

A continuous invariant of a PDS is called a semi-algebraic invariant (SAI) if it is a semi-algebraic set.

In the subsequent sections, we will present a sound and complete method to automatically discover SAIs for a PDS.

4. FUNDAMENTAL RESULTS 

The set $\mathrm{Trans}_{\mathbf{f}\uparrow p}$ in Definition 10 plays a crucial role in our theory. First of all, we have

Theorem 13. The set $\mathrm{Trans}_{\mathbf{f}\uparrow p}$ is a semi-algebraic set if $p$ is a polynomial and $\mathbf{f}$ is a polynomial vector field, and hence it is computable.

To prove this theorem, it suffices to show that $\gamma_{p,\mathbf{f}}(\mathbf{x})$ is computable for each $\mathbf{x} \in \mathcal{S}(p(\mathbf{x}) \geq 0)$. However, $\gamma_{p,\mathbf{f}}(\mathbf{x})$ may be infinite for some $\mathbf{x} \in \mathcal{S}(p(\mathbf{x}) \geq 0)$. Thus, it seems that we have to compute $L^k_{\mathbf{f}} p(\mathbf{x})$ infinitely many times for such $\mathbf{x}$ to determine whether $\mathbf{x} \in \mathrm{Trans}_{\mathbf{f}\uparrow p}$. Fortunately, we can find a uniform upper bound on $\gamma_{p,\mathbf{f}}(\mathbf{x})$ for all $\mathbf{x}$ with $\gamma_{p,\mathbf{f}}(\mathbf{x})$ finite.

Theorem 14 (Rank Theorem). If $p$ and $\mathbf{f}$ are polynomial functions, then there is an integer $N$ such that for all $\mathbf{x} \in \mathbb{R}^n$, $\gamma_{p,\mathbf{f}}(\mathbf{x}) < \infty$ implies $\gamma_{p,\mathbf{f}}(\mathbf{x}) < N$. Later on, such an $N$ is called the rank of $p$ and $\mathbf{f}$, denoted by $\gamma_{p,\mathbf{f}}$.

Proof. Let $D_l = \{\mathbf{x} \mid \forall m < l.\ L^m_{\mathbf{f}} p(\mathbf{x}) = 0\}$ for $l > 0$. Note that the sequence $\{D_l\}_{l \in \mathbb{N}}$ is decreasing. We will show that there is an $N$ such that $D_l = D_N$ for all $l \geq N$.

Since $p$ and $\mathbf{f}$ are polynomial functions, all $L^m_{\mathbf{f}} p(\mathbf{x})$ are polynomials for any $m \in \mathbb{N}$. We consider the polynomial ideal $I$ generated by $\{L^m_{\mathbf{f}} p(\mathbf{x}) \mid m \in \mathbb{N}\}$. Let $I_m = \langle L^0_{\mathbf{f}} p(\mathbf{x}), L^1_{\mathbf{f}} p(\mathbf{x}), \ldots, L^m_{\mathbf{f}} p(\mathbf{x}) \rangle$. Then $I = \bigcup_m I_m$. By Theorem 3 there is a $k$ such that $I = I_k$. Thus for all $l > k$ there are $g_i \in \mathbb{R}[x_1, \ldots, x_n]$ for $i \leq k$ such that $L^l_{\mathbf{f}} p(\mathbf{x}) = \sum_{i \leq k} g_i L^i_{\mathbf{f}} p(\mathbf{x})$ for all $\mathbf{x} \in \mathbb{R}^n$.

Fix $l > k$. If $\mathbf{x} \in D_l$, then $L^l_{\mathbf{f}} p(\mathbf{x}) = \sum_{i \leq k} g_i L^i_{\mathbf{f}} p(\mathbf{x}) = 0$, since all $L^i_{\mathbf{f}} p(\mathbf{x}) = 0$ for $i \leq k$ as $\mathbf{x} \in D_l$. Let $N = k + 1$. Then $D_l = D_N$ for all $l \geq N$. Thus, if $\mathbf{x} \in D_N$ then $\gamma_{p,\mathbf{f}}(\mathbf{x}) = \infty$. Therefore, $\gamma_{p,\mathbf{f}}(\mathbf{x}) < \infty$ implies $\gamma_{p,\mathbf{f}}(\mathbf{x}) < N$. □

Now, it suffices to compute the values
$$L^0_{\mathbf{f}} p(\mathbf{x}_0),\ L^1_{\mathbf{f}} p(\mathbf{x}_0),\ \ldots,\ L^{\gamma_{p,\mathbf{f}}}_{\mathbf{f}} p(\mathbf{x}_0)$$
to determine whether $\gamma_{p,\mathbf{f}}(\mathbf{x}_0)$ is infinite. Therefore if $\gamma_{p,\mathbf{f}}$ is computable then $\mathrm{Trans}_{\mathbf{f}\uparrow p}$ is computable too. It is desirable to get an expression for $\gamma_{p,\mathbf{f}}$ for given $p$ and $\mathbf{f}$. However, we have not found one yet. Nevertheless, a computable upper bound for $\gamma_{p,\mathbf{f}}$ can indeed be found effectively according to the following theorem.



Theorem 15 (Fixed Point Theorem). If
$$L^{i+1}_{\mathbf{f}} p \in \langle L^0_{\mathbf{f}} p, L^1_{\mathbf{f}} p, \ldots, L^i_{\mathbf{f}} p \rangle,$$
then $L^m_{\mathbf{f}} p \in \langle L^0_{\mathbf{f}} p, L^1_{\mathbf{f}} p, \ldots, L^i_{\mathbf{f}} p \rangle$ for all $m > i$.

Proof. We prove this theorem by induction. Assume the conclusion is true for all $l \leq k$ with $k > i$. In particular, $L^k_{\mathbf{f}} p \in \langle L^0_{\mathbf{f}} p, L^1_{\mathbf{f}} p, \ldots, L^i_{\mathbf{f}} p \rangle$. Then there are $g_j \in \mathbb{R}[x_1, \ldots, x_n]$ for $j \leq i$ such that
$$L^k_{\mathbf{f}} p = \sum_{j \leq i} g_j L^j_{\mathbf{f}} p. \qquad (3)$$
By the definition of Lie derivative and equation (3), it follows that
$$L^{k+1}_{\mathbf{f}} p = \Big\langle \frac{\partial}{\partial \mathbf{x}} L^k_{\mathbf{f}} p, \mathbf{f} \Big\rangle = \Big\langle \frac{\partial}{\partial \mathbf{x}} \sum_{j \leq i} g_j L^j_{\mathbf{f}} p, \mathbf{f} \Big\rangle = \sum_{j \leq i} \Big\langle \frac{\partial g_j}{\partial \mathbf{x}}, \mathbf{f} \Big\rangle L^j_{\mathbf{f}} p + \sum_{j \leq i} g_j L^{j+1}_{\mathbf{f}} p.$$
By the induction hypothesis, $L^{i+1}_{\mathbf{f}} p$ is in $\langle L^0_{\mathbf{f}} p, L^1_{\mathbf{f}} p, \ldots, L^i_{\mathbf{f}} p \rangle$. So
$$L^{k+1}_{\mathbf{f}} p \in \langle L^0_{\mathbf{f}} p, L^1_{\mathbf{f}} p, \ldots, L^i_{\mathbf{f}} p \rangle.$$
By induction, the theorem follows immediately. □

Let $N_{p,\mathbf{f}}$ be the minimal $i$ satisfying the condition of Theorem 15 in the sequel. Then $\gamma_{p,\mathbf{f}} \leq N_{p,\mathbf{f}}$. Look at Example 8, where $N_{h,\mathbf{f}} = 2$. Now, applying the above two theorems we can prove Theorem 13.

Proof of Theorem 13. Since $\gamma_{p,\mathbf{f}} \leq N_{p,\mathbf{f}}$,
$$\mathbf{x} \in \mathrm{Trans}_{\mathbf{f}\uparrow p} \ \text{ iff } \ \gamma_{p,\mathbf{f}}(\mathbf{x}) \leq N_{p,\mathbf{f}} \ \wedge\ L^{\gamma_{p,\mathbf{f}}(\mathbf{x})}_{\mathbf{f}} p(\mathbf{x}) < 0.$$
Therefore, $\mathrm{Trans}_{\mathbf{f}\uparrow p}$ is computable as $N_{p,\mathbf{f}}$ is computable according to Theorem 15. Given $p$ and $\mathbf{f}$, let
$$\pi^{(0)}(p, \mathbf{f}, \mathbf{x}) = p(\mathbf{x}) < 0, \qquad (4)$$
for $1 \leq i \in \mathbb{N}$,
$$\pi^{(i)}(p, \mathbf{f}, \mathbf{x}) = \Big(\bigwedge_{0 \leq j < i} L^j_{\mathbf{f}} p(\mathbf{x}) = 0\Big) \wedge L^i_{\mathbf{f}} p(\mathbf{x}) < 0, \qquad (5)$$
and
$$\pi(p, \mathbf{f}, \mathbf{x}) = \bigvee_{0 \leq i \leq N_{p,\mathbf{f}}} \pi^{(i)}(p, \mathbf{f}, \mathbf{x}). \qquad (6)$$
By Theorem 14 and $\gamma_{p,\mathbf{f}} \leq N_{p,\mathbf{f}}$, we have another equivalence
$$\mathbf{x} \in \mathrm{Trans}_{\mathbf{f}\uparrow p} \ \text{ iff } \ \pi(p, \mathbf{f}, \mathbf{x}) \text{ holds}. \qquad (7)$$

In fact, $\pi^{(i)}(p, \mathbf{f}, \mathbf{x})$ here is a particular semi-algebraic system, and so $\pi(p, \mathbf{f}, \mathbf{x})$ is a union of semi-algebraic systems. Thus $\mathrm{Trans}_{\mathbf{f}\uparrow p}$ is actually a semi-algebraic set. □

SAI generation actually makes use of parametric polynomials $p(\mathbf{u}, \mathbf{x})$ with parameters $\mathbf{u} = (u_1, u_2, \ldots, u_t)$. The following theorem shows that Theorem 14 still holds after substituting $p(\mathbf{u}, \mathbf{x})$ for $p(\mathbf{x})$.

Theorem 16 (Parametric Rank Theorem). Given polynomial functions $p(\mathbf{u}, \mathbf{x})$ and $\mathbf{f}$, there is an integer $N$ such that $\gamma_{p_{\mathbf{u}_0},\mathbf{f}}(\mathbf{x}) < \infty$ implies $\gamma_{p_{\mathbf{u}_0},\mathbf{f}}(\mathbf{x}) < N$ for all $\mathbf{x} \in \mathbb{R}^n$ and all $\mathbf{u}_0 \in \mathbb{R}^t$.

The proof is quite close to that of Theorem 14. The difference between the proof of this theorem and that of Theorem 14 lies in the setting of the polynomials. Here, we consider polynomials $p$ and $\mathbf{f}$ in the polynomial ring $\mathbb{R}[\mathbf{u}, \mathbf{x}]$. Similarly, we also introduce the rank function on polynomials with parameters, still denoted by $\gamma_{p,\mathbf{f}}$. Accordingly, let $N_{p,\mathbf{f}}$ denote the upper bound computed by an analogue of Theorem 15.

5. GENERATING SAI IN SIMPLE CASE 

Given a polynomial vector field $\dot{\mathbf{x}} = \mathbf{f}(\mathbf{x})$ with a semi-algebraic domain $H$ and initial condition $\Xi$, our task is to find a semi-algebraic set $P$ such that $P$ is an SAI of $(H, \mathbf{f}, \Xi)$.

First of all, we illustrate our idea by showing how to compute an SAI of the simple form $P = p(\mathbf{x}) \geq 0$ for a simple domain $H = h(\mathbf{x}) \geq 0$. For convenience, we will simply write the dynamical system $(h(\mathbf{x}) \geq 0, \mathbf{f}, \Xi)$ as $(h, \mathbf{f}, \Xi)$. Notice that $P$ is an SAI of $(h, \mathbf{f}, \Xi)$ only if $\forall \mathbf{x}(\Xi(\mathbf{x}) \rightarrow P(\mathbf{x}))$. It is evident that if $\mathbf{x}(0)$ is in the interior of $\mathcal{S}(p(\mathbf{x}) \geq 0) \cap \mathcal{S}(h(\mathbf{x}) \geq 0)$, then the trajectory $\mathbf{x}(t)$ starting at $\mathbf{x}(0)$ remains in the interior for sufficiently small $t > 0$. Therefore, the condition of continuous invariant could be violated only at points on the boundary $\mathcal{S}(p(\mathbf{x}) = 0)$ of $\mathcal{S}(p(\mathbf{x}) \geq 0)$. Thus by Definition 10 and Proposition 9, $p \geq 0$ is an invariant of $(h, \mathbf{f}, \Xi)$ if and only if it satisfies $\forall \mathbf{x}(\Xi(\mathbf{x}) \rightarrow P(\mathbf{x}))$ and
$$\mathbf{x} \in \mathcal{S}(p(\mathbf{x}) = 0) \rightarrow \mathbf{x} \notin \mathrm{Trans}_{\mathbf{f}\uparrow p} \setminus \mathrm{Trans}_{\mathbf{f}\uparrow h},$$
i.e.
$$\mathbf{x} \in \mathcal{S}(p(\mathbf{x}) = 0) \rightarrow \mathbf{x} \in (\mathrm{Trans}_{\mathbf{f}\uparrow p})^c \vee \mathrm{Trans}_{\mathbf{f}\uparrow h}. \qquad (8)$$
By equivalence (7), formula (8) is equivalent to
$$p(\mathbf{x}) = 0 \rightarrow (\neg\pi(p, \mathbf{f}, \mathbf{x}) \vee \pi(h, \mathbf{f}, \mathbf{x})),$$
i.e.
$$(p(\mathbf{x}) = 0 \wedge \pi(p, \mathbf{f}, \mathbf{x})) \rightarrow \pi(h, \mathbf{f}, \mathbf{x}). \qquad (9)$$
Let $\theta(h, p, \mathbf{f}, \mathbf{x})$ denote formula (9). According to this equivalence, we obtain the following necessary and sufficient condition for being an SAI.

Theorem 17 (Criterion Theorem). Given a polynomial $p$, $p(\mathbf{x}) \geq 0$ is an SAI of the system $(h, \mathbf{f}, \Xi)$ if and only if the formula $\theta(h, p, \mathbf{f}, \mathbf{x}) \wedge (\Xi(\mathbf{x}) \rightarrow p(\mathbf{x}) \geq 0)$ is true for all $\mathbf{x} \in \mathbb{R}^n$.



Now, we are ready to present a constraint-based approach to generate polynomial continuous invariants. The basic idea is as follows:




Figure 2: Semi-Algebraic Invariants (III: SAI with Domain; IV: SAI in General Case)



I. First, set a parametric polynomial $p$ as
$$p(\mathbf{u}, \mathbf{x}) = \sum_{i_1 + i_2 + \cdots + i_n = k \leq d} u_{i_1 i_2 \cdots i_n}\, x_1^{i_1} x_2^{i_2} \cdots x_n^{i_n}. \qquad (10)$$
Such a parametric polynomial is conventionally called a template. There are $t = \binom{n+d}{d}$ terms and accordingly $t$ parameters $u_{i_1 i_2 \cdots i_n}$. For simplicity, let $\mathbf{u}$ denote this $t$-tuple $\{u_{i_1 i_2 \cdots i_n}\}_{i_1 + i_2 + \cdots + i_n = k \leq d}$.

II. Then we apply quantifier elimination (QE for short)¹ to the formula $\forall \mathbf{x}.(\theta(h, p, \mathbf{f}, \mathbf{x}) \wedge (\Xi(\mathbf{x}) \rightarrow p(\mathbf{x}) \geq 0))$. If the output is false, then there is no polynomial continuous invariant of degree $\leq d$ for $(h, \mathbf{f}, \Xi)$. Otherwise, it gives us a constraint on $\mathbf{u}$, denoted by $R(\mathbf{u})$. In fact, $R(\mathbf{u})$ is a union of semi-algebraic systems (refer to [55]).

III. Let $S_{inv}$ be the set of solutions to $R(\mathbf{u})$. Now, use a tool like DISCOVERER [30] to pick a $\mathbf{u}_0 \in S_{inv}$; then $p_{\mathbf{u}_0}(\mathbf{x}) \geq 0$ is an invariant of $(h, \mathbf{f}, \Xi)$ by Theorem 17.

Remark

1) Note that in real applications, one usually picks specific terms with nonzero coefficients. A simplified template can make the resulting polynomial satisfy special conditions and also reduce the complexity of the search.

2) In Step III above, if the dimension of $S_{inv}$ equals $t$, then we can easily select a rational sample point $\mathbf{u}_0$ from $S_{inv}$, and the obtained $p_{\mathbf{u}_0}(\mathbf{x}) \geq 0$ is an SAI in $\mathbb{R}^n$; otherwise, when it is difficult (or impossible) to get a rational instantiation for $\mathbf{u}$, we can always compute an algebraic sample point $\mathbf{u}_0 \in S_{inv}$, that is, $\mathbf{u}_0$ is itself defined by polynomial equations. It is easy to show that in the latter case, $p_{\mathbf{u}_0}(\mathbf{x}) \geq 0$ is also an SAI in



Example 18. Again, we make use of Example 8 to demonstrate the above method. That is, $\mathbf{f}(x, y) = (\dot{x} = -2y, \dot{y} = x^2)$. Here, we take $H = \{(x, y) \in \mathbb{R}^2 \mid h(x, y) = -x - y^2 \geq 0\}$ as the domain and $\Xi = \{(-1, 0.5), (-0.5, -0.6)\}$ as the initial states. Applying procedure (I-III), we have:

1. Set a template $p(\mathbf{u}, \mathbf{x}) := ay(x - y) \geq 0$ where $\mathbf{u} = (a)$. Then we have $\gamma_{p,\mathbf{f}} \leq N_{p,\mathbf{f}} = 2$.

2. Compute the corresponding formula
$$\theta(h, p, \mathbf{f}, \mathbf{x}) = \big(p = 0 \wedge (\pi^{(0)}_{p,\mathbf{f},\mathbf{x}} \vee \pi^{(1)}_{p,\mathbf{f},\mathbf{x}} \vee \pi^{(2)}_{p,\mathbf{f},\mathbf{x}})\big) \rightarrow (\pi^{(0)}_{h,\mathbf{f},\mathbf{x}} \vee \pi^{(1)}_{h,\mathbf{f},\mathbf{x}} \vee \pi^{(2)}_{h,\mathbf{f},\mathbf{x}}),$$
where
$$\pi^{(0)}_{h,\mathbf{f},\mathbf{x}} = -x - y^2 < 0,$$
$$\pi^{(1)}_{h,\mathbf{f},\mathbf{x}} = -x - y^2 = 0 \wedge 2y - 2x^2 y < 0,$$
$$\pi^{(2)}_{h,\mathbf{f},\mathbf{x}} = -x - y^2 = 0 \wedge 2y - 2x^2 y = 0 \wedge 8xy^2 + 2x^2 - 2x^4 < 0,$$
$$\pi^{(0)}_{p,\mathbf{f},\mathbf{x}} = ay(x - y) < 0,$$
$$\pi^{(1)}_{p,\mathbf{f},\mathbf{x}} = ay(x - y) = 0 \wedge -2ay^2 + ax^3 - 2yax^2 < 0,$$
$$\pi^{(2)}_{p,\mathbf{f},\mathbf{x}} = ay(x - y) = 0 \wedge -2ay^2 + ax^3 - 2yax^2 = 0 \wedge 40axy^2 - 16ay^3 + 32ax^3 y - 16ax^4 < 0.$$
Then we perform quantifier elimination on the formula $\forall x, y.\ (\theta(h, p, \mathbf{f}, \mathbf{x}) \wedge (0.5a(-1 - 0.5) \geq 0 \wedge -0.6a(-0.5 + 0.6) \geq 0))$. We get the constraint on $a$: $a \leq 0$.

3. Just pick $a = -1$; then $-xy + y^2 \geq 0$ is an invariant for $(H, \mathbf{f}, \Xi)$. The grey part of picture III in Figure 2 is the intersection of this invariant and the domain $H$.

¹QE has been implemented in many computer algebra tools such as DISCOVERER [30], QEPCAD [?] and Redlog [8].
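The Lie derivatives, the pointwise rank, membership in the transverse set (equivalently $\pi$ of (4)-(7)) and the criterion $\theta$ of (9) can all be checked mechanically on exact rationals. The following Python is an added example, not code from the paper: it recomputes Examples 7 and 8 and evaluates $\theta$ for the $a = -1$ instance of Example 18 on sample points of the boundary $p = 0$. Because the bound $N_{p,\mathbf{f}}$ of Theorem 15 needs ideal-membership (Gröbner basis) computations, the code takes an assumed bound `cap` instead, so it is a pointwise check rather than the quantifier elimination of Step II.

```python
from fractions import Fraction
from itertools import product

# Sparse polynomials over Q: {exponent tuple: Fraction}. With two
# variables, the key (i, j) stands for the monomial x^i * y^j.
def poly(*terms):
    """Build a polynomial from (coefficient, exponent tuple) pairs."""
    return padd(*({e: Fraction(c)} for c, e in terms))

def padd(*ps):
    out = {}
    for p in ps:
        for e, c in p.items():
            out[e] = out.get(e, 0) + c
    return {e: c for e, c in out.items() if c != 0}

def pmul(p, q):
    out = {}
    for (e1, c1), (e2, c2) in product(p.items(), q.items()):
        e = tuple(a + b for a, b in zip(e1, e2))
        out[e] = out.get(e, 0) + c1 * c2
    return {e: c for e, c in out.items() if c != 0}

def pdiff(p, i):
    """Partial derivative with respect to the i-th variable."""
    out = {}
    for e, c in p.items():
        if e[i] > 0:
            de = e[:i] + (e[i] - 1,) + e[i + 1:]
            out[de] = out.get(de, 0) + c * e[i]
    return out

def peval(p, pt):
    """Exact evaluation at a point with rational coordinates."""
    total = Fraction(0)
    for e, c in p.items():
        term = c
        for v, k in zip(pt, e):
            term *= Fraction(v) ** k
        total += term
    return total

def lie(p, f):
    """One Lie derivative along f = (f_1, ..., f_n): <grad p, f>."""
    return padd(*(pmul(pdiff(p, i), f[i]) for i in range(len(f))))

def lie_derivs(p, f, n):
    """[L^0 p, L^1 p, ..., L^n p] as polynomials."""
    out = [p]
    for _ in range(n):
        out.append(lie(out[-1], f))
    return out

def pointwise_rank(p, f, pt, cap):
    """gamma_{p,f}(pt) together with L^gamma p(pt): the first k <= cap with
    L^k p(pt) != 0. (None, None) plays the role of gamma = infinity; the
    assumed bound cap stands in for N_{p,f} of Theorem 15 (not computed here)."""
    for k, lk in enumerate(lie_derivs(p, f, cap)):
        v = peval(lk, pt)
        if v != 0:
            return k, v
    return None, None

def in_trans(p, f, pt, cap):
    """pt in Trans_{f^p} (Definition 10), i.e. pi(p, f, pt) of (4)-(7):
    finite rank and the first nonzero Lie derivative is negative."""
    k, v = pointwise_rank(p, f, pt, cap)
    return k is not None and v < 0

def theta(h, p, f, pt, cap):
    """Formula (9) at one point: (p(x) = 0 and pi(p,f,x)) -> pi(h,f,x)."""
    premise = peval(p, pt) == 0 and in_trans(p, f, pt, cap)
    return (not premise) or in_trans(h, f, pt, cap)

X, Y = (1, 0), (0, 1)                       # the monomials x and y
# Example 7: f = (-x, y), p = x + y^2
f7 = (poly((-1, X)), poly((1, Y)))
p7 = poly((1, X), (1, (0, 2)))
# Examples 8 and 18: f = (-2y, x^2), h = x + y^2
f8 = (poly((-2, Y)), poly((1, (2, 0))))
h8 = poly((1, X), (1, (0, 2)))
# Example 18: domain h = -x - y^2 >= 0 and the template instance a = -1,
# p = -xy + y^2, which the paper reports as an SAI.
h18 = poly((-1, X), (-1, (0, 2)))
p18 = poly((-1, (1, 1)), (1, (0, 2)))

def check_example_18(cap=6):
    """Pointwise check of Theorem 17 for p18: theta on constructed sample
    points of the boundary p = 0 (the lines y = 0 and y = x) and p >= 0 on
    the two initial states. Returns (theta_ok, initial_ok)."""
    boundary = [(x, 0) for x in range(-6, 7)] + [(x, x) for x in range(-6, 7)]
    initial = [(-1, Fraction(1, 2)), (Fraction(-1, 2), Fraction(-3, 5))]
    theta_ok = all(theta(h18, p18, f8, pt, cap) for pt in boundary)
    initial_ok = all(peval(p18, pt) >= 0 for pt in initial)
    return theta_ok, initial_ok

if __name__ == "__main__":
    print([sorted(l.items()) for l in lie_derivs(p7, f7, 2)])   # Example 7
    print(pointwise_rank(h8, f8, (-1, 1), 6), pointwise_rank(h8, f8, (-4, 2), 6))
    print(check_example_18())
```

The boundary sample points exercise all three cases of Proposition 9: the origin (an equilibrium, rank infinite), points where the first Lie derivative decides, and $(-2, -2)$ where only the second does.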

6. GENERAL CASE 

Now, we consider how to automatically discover SAIs of a PDS in the general case. Given a PDS $(H, \mathbf{f}, \Xi)$ with
$$H = \mathcal{S}\Big(\bigvee_{i=1}^{I} \bigwedge_{j=1}^{J_i} p_{ij}(\mathbf{x}) \triangleright 0\Big), \qquad \Xi = \mathcal{S}\Big(\bigvee_{i=1}^{N} \bigwedge_{j=1}^{M_i} q_{ij}(\mathbf{x}) \triangleright 0\Big) \qquad (11)$$
and $\mathbf{f} \in \mathbb{Q}^n[\mathbf{x}]$, where $\Xi \subseteq H$ and $\triangleright \in \{\geq, >\}$. The procedure for automatically generating SAIs with a general template
$$P = \mathcal{S}\Big(\bigvee_{k=1}^{K} \bigwedge_{l=1}^{L_k} p_{kl}(\mathbf{u}_{kl}, \mathbf{x}) \triangleright 0\Big), \qquad \text{where } \triangleright \in \{\geq, >\},$$
for $(H, \mathbf{f}, \Xi)$ is essentially the same as steps (I-III) described in the previous section. However, we must carefully handle the complex combinations arising from the complicated boundaries. In what follows, we first establish the necessary and sufficient conditions for general CIs of a CDSwDI by some topological analysis. Then we show that for SAIs of a PDS, these conditions can be encoded equivalently into first-order polynomial formulas.

6.1 Necessary and Sufficient Condition for CI 

First of all, we study a necessary and sufficient condition like formula (8) for $P$ being an invariant of $(H, \mathbf{f}, \Xi)$. To analyze the evolution tendency of trajectories governed by a locally Lipschitz continuous vector field $\mathbf{f} : \mathbb{R}^n \to \mathbb{R}^n$ in terms of a subset $A$ of $\mathbb{R}^n$, we need the following notions and notations:
$$\mathrm{In}_{\mathbf{f}}(A) = \{\mathbf{x}_0 \in \mathbb{R}^n \mid \exists \epsilon > 0\, \forall t \in (0, \epsilon).\ \mathbf{x}(\mathbf{x}_0; t) \in A\},$$
$$\mathrm{IvIn}_{\mathbf{f}}(A) = \{\mathbf{x}_0 \in \mathbb{R}^n \mid \exists \epsilon > 0\, \forall t \in (0, \epsilon).\ \mathbf{x}(\mathbf{x}_0; -t) \in A\}.$$
Intuitively, $\mathbf{x}_0 \in \mathrm{In}_{\mathbf{f}}(A)$ means that the trajectory starting from $\mathbf{x}_0$ enters $A$ immediately and keeps inside $A$ for some time; $\mathbf{x}_0 \in \mathrm{IvIn}_{\mathbf{f}}(A)$ means that the trajectory through $\mathbf{x}_0$ reaches $\mathbf{x}_0$ from the interior of $A$.

Analogous to $\mathrm{In}_{\mathbf{f}}(A)$ and $\mathrm{IvIn}_{\mathbf{f}}(A)$, we introduce another two notations $\mathrm{Out}_{\mathbf{f}}(A)$ and $\mathrm{IvOut}_{\mathbf{f}}(A)$:
$$\mathrm{Out}_{\mathbf{f}}(A) = \{\mathbf{x}_0 \in \mathbb{R}^n \mid \exists \epsilon > 0\, \forall t \in (0, \epsilon).\ \mathbf{x}(\mathbf{x}_0; t) \in A^c\};$$
$$\mathrm{IvOut}_{\mathbf{f}}(A) = \{\mathbf{x}_0 \in \mathbb{R}^n \mid \exists \epsilon > 0\, \forall t \in (0, \epsilon).\ \mathbf{x}(\mathbf{x}_0; -t) \in A^c\},$$
where $A^c$ stands for the complement of $A$ in $\mathbb{R}^n$. Intuitively, $\mathbf{x}_0 \in \mathrm{Out}_{\mathbf{f}}(A)$ means that the trajectory starting at $\mathbf{x}_0$ leaves $A$ immediately and keeps outside $A$ for some time; $\mathbf{x}_0 \in \mathrm{IvOut}_{\mathbf{f}}(A)$ means that the trajectory passing through $\mathbf{x}_0$ reaches $\mathbf{x}_0$ from the outside of $A$.

Based on the above notations, we have 

Theorem 19. Given a CDSwDI {H,f,Z) with H C R n , 
S C R n and locally Lipschitz continuous f : R n i-> R™, a 
subset P of R n is a CI of (H, f , H) if and only if 

1. EC P; 

2. Vx EPnfln In f (tf).x G In f (P); 

3. Vx G P c nHn Ivln f (tf).x G (lvIn f (P)) c . 

Proof. First of all, the proof of condition 1 is trivial. In what follows, we focus on conditions 2 and 3.

"$\Leftarrow$" Suppose $P$ is not a CI of $(H, f, \Xi)$. According to Definition 11 there exist $x_0 \in P \cap H$, $T_0 > 0$ and $T_1 \in (0, T_0]$ s.t.
\[
\forall t \in [0, T_0].\ x(t) \in H \quad\text{and}\quad x(T_1) \notin P.
\]
It is not difficult to check that the set
\[
\mathcal{T}_P = \{T \in \mathbb{R},\ T \ge 0 \mid \forall t \in [0, T].\ x(t) \in P\}
\]
is not empty, and is a right-open or right-closed interval $[0, T_P\rangle$ with $0 \le T_P \le T_1$. If $[0, T_P\rangle = [0, T_P]$, then $T_P < T_1$. Thus $x(T_P) \in P \cap H \cap \mathrm{In}_f(H)$, but $x(T_P) \notin \mathrm{In}_f(P)$, otherwise $T_P$ could not be the right end point of $\mathcal{T}_P$. So 2 is violated.

If $[0, T_P\rangle = [0, T_P)$, then $T_P > 0$ and $x(T_P) \in P^c \cap H$. Furthermore, $\forall t \in [0, T_P).\ x(t) \in P \cap H$, i.e.
\[
\forall t \in [0, T_P).\ x(x_0; t) \in P \cap H,
\]
which is equivalent to
\[
\forall t \in [-T_P, 0).\ x(x_0; t + T_P) \in P \cap H.
\]
Let $x_0' = x(x_0; T_P)$. Then $x(x_0'; t) = x(x_0; t + T_P)$. Thus we get
\[
\forall t \in [-T_P, 0).\ x(x_0'; t) \in P \cap H,
\]
i.e.
\[
\forall t \in (0, T_P].\ x(x_0'; -t) \in P \cap H.
\]
This means $x_0' \in \mathrm{IvIn}_f(H) \cap \mathrm{IvIn}_f(P)$. Besides,
\[
x_0' = x(x_0'; 0) = x(x_0; T_P) = x(T_P) \in P^c \cap H.
\]
So 3 is violated by $x_0'$.

"$\Rightarrow$" If 2 does not hold, then there exist $x_1 \in P \cap H$, $\varepsilon_1 > 0$ and $0 < t_1 < \varepsilon_1$ such that $\forall t \in [0, \varepsilon_1).\ x(x_1; t) \in H$ and $x(x_1; t_1) \notin P$. By Definition 11, $P$ could not be a CI.

If 3 does not hold, then there exists
\[
x_2 \in P^c \cap H \cap \mathrm{IvIn}_f(H) \cap \mathrm{IvIn}_f(P).
\]
This means there exists $\varepsilon_2 > 0$ such that
\[
\forall t \in (0, \varepsilon_2).\ x(x_2; -t) \in P \cap H,
\]
i.e.
\[
\forall t \in (-\varepsilon_2, 0).\ x(x_2; t) \in P \cap H.
\]
Thus
\[
\forall t \in [-\varepsilon_2/2, 0).\ x(x_2; t) \in P \cap H,
\]
i.e.
\[
\forall t \in [0, \varepsilon_2/2).\ x(x_2; t - \varepsilon_2/2) \in P \cap H.
\]
Let $x_2' = x(x_2; -\varepsilon_2/2)$. Then $x(x_2'; t) = x(x_2; t - \varepsilon_2/2)$. Thus we get
\[
\forall t \in [0, \varepsilon_2/2).\ x(x_2'; t) \in P \cap H.
\]
Furthermore,
\[
x(x_2'; \varepsilon_2/2) = x(x_2; 0) = x_2 \in P^c \cap H.
\]
Thus the trajectory starting from $x_2'$ violates the condition of Definition 11, so $P$ could not be a CI either. $\square$

6.2 Necessary and Sufficient Condition for SAI

Given a PDS $(H, f, \Xi)$ and an SAI $P$, to encode the conditions in Theorem 19 as polynomial formulas, it is sufficient to show that $\mathrm{In}_f(H)$, $\mathrm{In}_f(P)$, $\mathrm{IvIn}_f(H)$ and $\mathrm{IvIn}_f(P)$ are all semi-algebraic sets. By the structure of $H$, it is natural to consider the relation between $\mathrm{In}_f(H)$ and $\mathrm{In}_f(\mathcal{S}(p_{ij} \triangleright 0))$. Through a careful analysis, we establish the following crucial equality:

Theorem 20. For a semi-algebraic set $H$ defined by formula (11) and a polynomial vector field $f$, we have
\[
\mathrm{In}_f(H) = \bigcup_{i=1}^{I} \bigcap_{j=1}^{J_i} \mathrm{In}_f\big(\mathcal{S}(p_{ij} \triangleright 0)\big).
\]

To prove Theorem 20 we need the following two lemmas, wherein $\triangleright \in \{\ge, >\}$.



Lemma 21. For any atomic polynomial formula $p \triangleright 0$ and polynomial vector field $f$, and for any $x_0 \in \mathbb{R}^n$, we have either $x_0 \in \mathrm{In}_f(\mathcal{S}(p \triangleright 0))$ or $x_0 \in \mathrm{Out}_f(\mathcal{S}(p \triangleright 0))$.

Proof. Polynomial functions are analytic, so $f$ is analytic and thus $x(x_0; t)$ ($x(t)$ for short) is analytic in a small interval $(a, b)$ containing $0$. Besides, $p$ is analytic, so the Taylor expansion of $p(x(t))$ at $t = 0$,
\[
\begin{aligned}
p(x(t)) &= p(x_0) + \frac{dp}{dt}\Big|_{t=0} \cdot t + \frac{d^2 p}{dt^2}\Big|_{t=0} \cdot \frac{t^2}{2!} + \cdots \\
        &= L_f^0 p(x_0) + L_f^1 p(x_0) \cdot t + L_f^2 p(x_0) \cdot \frac{t^2}{2!} + \cdots,
\end{aligned}
\]
converges in $(a, b)$. Then the proof proceeds by case analysis on the sign of $L_f^{\gamma_{p,f}(x_0)} p(x_0)$, where the pointwise rank $\gamma_{p,f}(x_0)$ is the least $i$ with $L_f^i p(x_0) \ne 0$ ($\infty$ if there is no such $i$):

• if $\gamma_{p,f}(x_0) = \infty$, then $\exists \varepsilon > 0\ \forall t \in (0, \varepsilon).\ p(x(t)) = 0$, so $x_0 \in \mathrm{In}_f(\mathcal{S}(p \ge 0))$ and $x_0 \in \mathrm{Out}_f(\mathcal{S}(p > 0))$;

• if $L_f^{\gamma_{p,f}(x_0)} p(x_0) > 0$, then $\exists \varepsilon > 0\ \forall t \in (0, \varepsilon).\ p(x(t)) > 0$, so $x_0 \in \mathrm{In}_f(\mathcal{S}(p \ge 0))$ and $x_0 \in \mathrm{In}_f(\mathcal{S}(p > 0))$;

• if $L_f^{\gamma_{p,f}(x_0)} p(x_0) < 0$, then $\exists \varepsilon > 0\ \forall t \in (0, \varepsilon).\ p(x(t)) < 0$, so $x_0 \in \mathrm{Out}_f(\mathcal{S}(p \ge 0))$ and $x_0 \in \mathrm{Out}_f(\mathcal{S}(p > 0))$.

Then we can see that for all $x_0 \in \mathbb{R}^n$, either $x_0 \in \mathrm{In}_f(\mathcal{S}(p \triangleright 0))$ or $x_0 \in \mathrm{Out}_f(\mathcal{S}(p \triangleright 0))$. $\square$

Lemma 22. For any semi-algebraic set $B = \mathcal{S}(\bigwedge_{j=1}^{J} p_j \triangleright 0)$ and polynomial vector field $f$, we have

1. $\mathrm{In}_f(B) = \bigcap_{j=1}^{J} \mathrm{In}_f(\mathcal{S}(p_j \triangleright 0))$;

2. for any $x_0 \in \mathbb{R}^n$, either $x_0 \in \mathrm{In}_f(B)$ or $x_0 \in \mathrm{Out}_f(B)$.

Proof. 1. "$\subseteq$" Trivial.

"$\supseteq$" For any $x_0 \in \bigcap_{j=1}^{J} \mathrm{In}_f(\mathcal{S}(p_j \triangleright 0))$, there exist positive $\varepsilon_1, \varepsilon_2, \ldots, \varepsilon_J$ such that for all $1 \le j \le J$ and any $t \in (0, \varepsilon_j)$, $p_j(x(x_0; t)) \triangleright 0$. Let $\varepsilon = \min\{\varepsilon_1, \varepsilon_2, \ldots, \varepsilon_J\}$. Then for any $t \in (0, \varepsilon)$, $\bigwedge_{j=1}^{J} p_j(x(x_0; t)) \triangleright 0$. Thus $x_0 \in \mathrm{In}_f(B)$.

2. By 1, if $x_0 \notin \mathrm{In}_f(B)$, then there exists $j_0 \in [1, J]$ such that $x_0 \notin \mathrm{In}_f(\mathcal{S}(p_{j_0} \triangleright 0))$. By Lemma 21, $x_0 \in \mathrm{Out}_f(\mathcal{S}(p_{j_0} \triangleright 0))$. Thus there exists $\varepsilon > 0$ s.t. for all $t \in (0, \varepsilon)$, $\neg(p_{j_0}(x(x_0; t)) \triangleright 0)$. Then for all $t \in (0, \varepsilon)$, $\bigvee_{j=1}^{J} \neg(p_j(x(x_0; t)) \triangleright 0)$, i.e. $\neg(\bigwedge_{j=1}^{J} p_j(x(x_0; t)) \triangleright 0)$. This means $x_0 \in \mathrm{Out}_f(B)$. $\square$

Now we are ready to prove Theorem 20 as follows.

Proof of Theorem 20. "$\supseteq$" Trivial.

"$\subseteq$" If $x_0 \notin \bigcup_{i=1}^{I} \bigcap_{j=1}^{J_i} \mathrm{In}_f(\mathcal{S}(p_{ij} \triangleright 0))$, then for all $i \in [1, I]$, $x_0 \notin \bigcap_{j=1}^{J_i} \mathrm{In}_f(\mathcal{S}(p_{ij} \triangleright 0))$. By Lemma 22, for all $i \in [1, I]$, $x_0 \in \mathrm{Out}_f(B_i)$, where $B_i = \mathcal{S}(\bigwedge_{j=1}^{J_i} p_{ij} \triangleright 0)$. Thus there exist positive $\varepsilon_1, \varepsilon_2, \ldots, \varepsilon_I$ s.t. for all $i \in [1, I]$ and any $t \in (0, \varepsilon_i)$, $\neg(\bigwedge_{j=1}^{J_i} p_{ij}(x(x_0; t)) \triangleright 0)$. Let $\varepsilon = \min\{\varepsilon_1, \varepsilon_2, \ldots, \varepsilon_I\}$. Then for all $t \in (0, \varepsilon)$, $\bigwedge_{i=1}^{I} \neg(\bigwedge_{j=1}^{J_i} p_{ij}(x(x_0; t)) \triangleright 0)$, or equivalently, $\neg(\bigvee_{i=1}^{I} \bigwedge_{j=1}^{J_i} p_{ij}(x(x_0; t)) \triangleright 0)$. This means $x_0 \in \mathrm{Out}_f(H)$ and hence $x_0 \notin \mathrm{In}_f(H)$. $\square$

Based on Theorem 20, in order to show that $\mathrm{In}_f(H)$ is a semi-algebraic set for any semi-algebraic set $H$, it is sufficient to show that $\mathrm{In}_f(\mathcal{S}(p \triangleright 0))$ is a semi-algebraic set for any polynomial $p$, where $\triangleright \in \{\ge, >\}$.

In fact, we have proved in Lemma 21 the following result.

Lemma 23. For any polynomial $p$ and polynomial vector field $f$,
\[
\begin{aligned}
\mathrm{In}_f(\mathcal{S}(p > 0))   &= \Gamma_+(p, f) \quad\text{and} \\
\mathrm{In}_f(\mathcal{S}(p \ge 0)) &= \Gamma_0(p, f) \cup \Gamma_+(p, f),
\end{aligned}
\]
where
\begin{align}
\Gamma_0(p, f) &= \{x_0 \in \mathbb{R}^n \mid \gamma_{p,f}(x_0) = \infty\} \quad\text{and} \tag{12} \\
\Gamma_+(p, f) &= \{x_0 \in \mathbb{R}^n \mid \gamma_{p,f}(x_0) < \infty \wedge L_f^{\gamma_{p,f}(x_0)} p(x_0) > 0\}. \tag{13}
\end{align}

Next, we show that $\Gamma_0$ and $\Gamma_+$ are semi-algebraic sets. We will do so in a more general way for parametric polynomials $p(u, x)$. In their proofs, we need the fundamental results about Lie derivatives shown in Section 2. In the sequel we adopt the convention that $\bigwedge_{i \in \emptyset} \phi_i = \mathit{true}$, where $\phi_i$ is a polynomial formula.

Lemma 24. Given $p = p(u, x)$ and polynomial vector field $f$, for any parameter value $u_0$ we have
\[
\Gamma_0(p_{u_0}, f) = \mathcal{S}\big(\varphi_0(p, f)|_{u = u_0}\big),
\]
where
\begin{equation}
\varphi_0(p, f) \;\hat{=}\; \bigwedge_{i=0}^{N_{p,f}} L_f^i p = 0. \tag{14}
\end{equation}

Proof. "$\subseteq$" This is trivial by the definition of pointwise rank in Section 2.

"$\supseteq$" If $x_0 \in \mathcal{S}(\varphi_0(p, f)|_{u=u_0})$, then by the definition of pointwise rank we have $\gamma_{p_{u_0},f}(x_0) > N_{p,f}$. By the analogue of Theorem 14 for polynomials with parameters, we get $\gamma_{p_{u_0},f}(x_0) = \infty$. Thus $x_0 \in \Gamma_0(p_{u_0}, f)$. $\square$

Lemma 25. Given $p = p(u, x)$ and polynomial vector field $f$, for any parameter value $u_0$ we have
\[
\Gamma_+(p_{u_0}, f) = \mathcal{S}\big(\psi_+(p, f)|_{u = u_0}\big),
\]
where
\begin{equation}
\psi_+(p, f) \;\hat{=}\; \bigvee_{i=0}^{N_{p,f}} \psi^{(i)}(p, f) \quad\text{with}\quad
\psi^{(i)}(p, f) \;\hat{=}\; \Big(\bigwedge_{j=0}^{i-1} L_f^j p = 0\Big) \wedge L_f^i p > 0. \tag{15}
\end{equation}

Proof. "$\supseteq$" If $x_0 \in \mathcal{S}(\psi_+(p, f)|_{u=u_0})$, then by the definition of pointwise rank we have
\[
\big(\gamma_{p_{u_0},f}(x_0) \le N_{p,f} < \infty\big) \wedge L_f^{\gamma_{p_{u_0},f}(x_0)} p_{u_0}(x_0) > 0.
\]
Thus $x_0 \in \Gamma_+(p_{u_0}, f)$.

"$\subseteq$" If $x_0 \in \Gamma_+(p_{u_0}, f)$, then by the definition of pointwise rank we know that $x_0$ satisfies
\[
L_f^0 p_{u_0} = 0 \wedge \cdots \wedge L_f^{\gamma_{p_{u_0},f}(x_0) - 1} p_{u_0} = 0 \wedge L_f^{\gamma_{p_{u_0},f}(x_0)} p_{u_0} > 0.
\]
By the analogue of Theorem 13 for polynomials with parameters, we have $\gamma_{p_{u_0},f}(x_0) \le N_{p,f}$. Thus $u_0, x_0$ satisfy $\psi^{(\gamma_{p_{u_0},f}(x_0))}(p, f)$. This means $x_0 \in \mathcal{S}(\psi_+(p, f)|_{u=u_0})$. $\square$

Based on Lemmas 23, 24 and 25 we have

Theorem 26. For any polynomial $p$ and vector field $f$,
\[
\begin{aligned}
\mathrm{In}_f(\mathcal{S}(p > 0))   &= \mathcal{S}(\psi_+(p, f)), \quad\text{and} \\
\mathrm{In}_f(\mathcal{S}(p \ge 0)) &= \mathcal{S}(\psi_+(p, f) \vee \varphi_0(p, f)),
\end{aligned}
\]
where $\varphi_0(p, f)$ and $\psi_+(p, f)$ are defined in (14) and (15) respectively.



Therefore, $\mathrm{In}_f(H)$ can be translated into a polynomial formula. By a similar argument, we are able to prove that

Theorem 27. For a semi-algebraic set $H$ defined by formula (11) and a polynomial vector field $f$, we have
\[
\mathrm{IvIn}_f(H) = \bigcup_{i=1}^{I} \bigcap_{j=1}^{J_i} \mathrm{IvIn}_f\big(\mathcal{S}(p_{ij} \triangleright 0)\big).
\]

Accordingly,

Theorem 28. For any polynomial $p$ and vector field $f$,
\[
\begin{aligned}
\mathrm{IvIn}_f(\mathcal{S}(p > 0))   &= \mathcal{S}(\varphi_+(p, f)), \quad\text{and} \\
\mathrm{IvIn}_f(\mathcal{S}(p \ge 0)) &= \mathcal{S}(\varphi_+(p, f) \vee \varphi_0(p, f)),
\end{aligned}
\]
where
\begin{equation}
\varphi_+(p, f) \;\hat{=}\; \bigvee_{i=0}^{N_{p,f}} \varphi^{(i)}(p, f), \qquad
\varphi^{(i)}(p, f) \;\hat{=}\; \Big(\bigwedge_{j=0}^{i-1} L_f^j p = 0\Big) \wedge \big((-1)^i \cdot L_f^i p > 0\big). \tag{16}
\end{equation}
The factor $(-1)^i$ reflects that following the trajectory backwards in time means following the vector field $-f$, and $L_{-f}^i p = (-1)^i L_f^i p$.


Now we are able to present our main result on automatic SAI generation for PDSs.

Theorem 29 (Main Result). A semi-algebraic set $\mathcal{S}(P)$ with
\[
P \;\hat{=}\; \bigvee_{k=1}^{K} \Big( \bigwedge_{j=1}^{j_k} p_{kj}(u_{kj}, x) \ge 0 \;\wedge\; \bigwedge_{j=j_k+1}^{J_k} p_{kj}(u_{kj}, x) > 0 \Big)
\]
is a continuous invariant of the PDS $(\mathcal{S}(H), f, \Xi)$ with
\[
H \;\hat{=}\; \bigvee_{m=1}^{M} \Big( \bigwedge_{l=1}^{l_m} p_{ml}(x) \ge 0 \;\wedge\; \bigwedge_{l=l_m+1}^{L_m} p_{ml}(x) > 0 \Big)
\]
if and only if $u = (u_{kj})$ satisfies
\[
\forall x.\ \big(\Xi(x) \rightarrow P(x)\big) \;\wedge\; \big(P \wedge H \wedge \psi_H \rightarrow \psi_P\big) \;\wedge\; \big(\neg P \wedge H \wedge \varphi_H \rightarrow \neg \varphi_P\big),
\]
where
\[
\begin{aligned}
\psi_H    &\;\hat{=}\; \bigvee_{m=1}^{M} \Big( \bigwedge_{l=1}^{l_m} \psi_{0,+}(p_{ml}, f) \wedge \bigwedge_{l=l_m+1}^{L_m} \psi_+(p_{ml}, f) \Big), \\
\psi_P    &\;\hat{=}\; \bigvee_{k=1}^{K} \Big( \bigwedge_{j=1}^{j_k} \psi_{0,+}(p_{kj}, f) \wedge \bigwedge_{j=j_k+1}^{J_k} \psi_+(p_{kj}, f) \Big), \\
\varphi_H &\;\hat{=}\; \bigvee_{m=1}^{M} \Big( \bigwedge_{l=1}^{l_m} \varphi_{0,+}(p_{ml}, f) \wedge \bigwedge_{l=l_m+1}^{L_m} \varphi_+(p_{ml}, f) \Big), \\
\varphi_P &\;\hat{=}\; \bigvee_{k=1}^{K} \Big( \bigwedge_{j=1}^{j_k} \varphi_{0,+}(p_{kj}, f) \wedge \bigwedge_{j=j_k+1}^{J_k} \varphi_+(p_{kj}, f) \Big),
\end{aligned}
\]
with $\psi_{0,+}(p, f) \;\hat{=}\; \psi_+(p, f) \vee \varphi_0(p, f)$ and $\varphi_{0,+}(p, f) \;\hat{=}\; \varphi_+(p, f) \vee \varphi_0(p, f)$.

Proof. This theorem is a direct consequence of Theorems 19, 20, 26, 27 and 28: by the latter four, $\psi_H$, $\psi_P$, $\varphi_H$ and $\varphi_P$ define $\mathrm{In}_f(\mathcal{S}(H))$, $\mathrm{In}_f(\mathcal{S}(P))$, $\mathrm{IvIn}_f(\mathcal{S}(H))$ and $\mathrm{IvIn}_f(\mathcal{S}(P))$ respectively, so the three conjuncts are exactly conditions 1, 2 and 3 of Theorem 19. $\square$

Note that $\psi_H$ and $\varphi_H$ are trivially "true" when $H$ is the whole space $\mathbb{R}^n$.

Compared to related work, e.g. [17, 19, 20, 24], our method for SAI generation based on Theorem 29 has the following two features:

1. Given a PDS (with arbitrary semi-algebraic domain and initial states), we consider arbitrary semi-algebraic sets as invariants, which may be of complicated forms and may be neither open nor closed.

2. Our criterion for checking semi-algebraic invariants for PDSs is sound and complete; our method for automatically generating semi-algebraic invariants is sound, and complete w.r.t. the predefined template.



Now we demonstrate how our approach can be used to generate a general SAI by the following example.

Example 30. Let $f(x, y) = (\dot{x} = -2y,\ \dot{y} = x^2)$ with $H = \mathbb{R}^2$ and $\Xi = x + y > 0$. Take a template $\Gamma = x - a > 0 \vee y - b \ge 0$. By Theorem 29, $\Gamma$ is an SAI of $(H, f, \Xi)$ iff $(a, b)$ satisfies the following two formulas
\begin{align}
& x + y > 0 \rightarrow (x - a > 0 \vee y - b \ge 0) \tag{17} \\
& (\Gamma \rightarrow \psi_\Gamma) \wedge (\neg\Gamma \rightarrow \neg\varphi_\Gamma) \tag{18}
\end{align}
for all $(x, y) \in \mathbb{R}^2$ (since $H = \mathbb{R}^2$, $\psi_H$ and $\varphi_H$ are true), where
\[
\begin{aligned}
\psi_\Gamma =\;& (x - a > 0) \vee (x - a = 0 \wedge -2y > 0) \vee (x - a = 0 \wedge -2y = 0 \wedge -2x^2 > 0) \\
        &\vee (y - b > 0) \vee (y - b = 0 \wedge x^2 > 0) \vee (y - b = 0 \wedge x^2 = 0 \wedge -4xy > 0) \\
        &\vee (y - b = 0 \wedge x^2 = 0 \wedge -4xy = 0 \wedge 8y^2 - 4x^3 > 0), \\
\varphi_\Gamma =\;& (x - a > 0) \vee (x - a = 0 \wedge -2y < 0) \vee (x - a = 0 \wedge -2y = 0 \wedge -2x^2 > 0) \\
        &\vee (y - b > 0) \vee (y - b = 0 \wedge x^2 < 0) \vee (y - b = 0 \wedge x^2 = 0 \wedge -4xy > 0) \\
        &\vee (y - b = 0 \wedge x^2 = 0 \wedge -4xy = 0 \wedge 8y^2 - 4x^3 < 0).
\end{aligned}
\]
Here $-2y$ and $-2x^2$ are $L_f(x - a)$ and $L_f^2(x - a)$, and $x^2$, $-4xy$ and $8y^2 - 4x^3$ are $L_f(y - b)$, $L_f^2(y - b)$ and $L_f^3(y - b)$; in $\varphi_\Gamma$ the odd-order derivatives change sign according to (16).

By applying quantifier elimination to this formula, we get $a + b \le 0 \wedge b \le 0$. Let $a = -1$ and $b = -0.5$; it results that $\{(x, y) \in \mathbb{R}^2 \mid x > -1 \vee y \ge -0.5\}$ is an SAI for this PDS, which is shown in picture IV of Figure 2.

Note that in the above example, the generated SAI is a general semi-algebraic set, the union of two simple semi-algebraic sets, which is neither closed nor open.
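As an added worked example (my code, not code from the paper or from any tool it cites), the following Python script turns the pointwise criteria of this section into executable checks: `rank_and_sign` computes the pointwise rank $\gamma_{p,f}(x_0)$ from the higher-order Lie derivatives used in the proof of Lemma 21; `in_f` and `ivin_f` decide membership in $\mathrm{In}_f(\mathcal{S}(p \triangleright 0))$ and $\mathrm{IvIn}_f(\mathcal{S}(p \triangleright 0))$ as in Lemma 23 and Theorems 26 and 28; `in_set` lifts them to sets in disjunctive normal form as in Theorem 20, Lemma 22 and Theorem 27; and `violated_condition` evaluates the three conditions of Theorems 19 and 29 at one point. `check_example30` then samples those conditions for the template of Example 30 on a grid of rational points. This only falsifies a candidate $(a, b)$; it does not replace the quantifier elimination that proves one. Assumptions that are mine rather than the page's: the variables are ordered $(x, y)$, polynomials are dictionaries from exponent tuples to rational coefficients, the grid is $[-2, 2]^2$ with step $1/4$ plus the values $a$ and $b$, and the derivative orders 2 (for $x - a$) and 3 (for $y - b$) are the $N_{p,f}$ implicit in the formulas of Example 30.

```python
from fractions import Fraction
from itertools import product
from math import prod

# Polynomials over Q in the variables (x, y), stored as {exponent_tuple: Fraction}.
def _acc(pairs):
    """Sum (exponent, coefficient) pairs into one polynomial, dropping zero terms."""
    r = {}
    for e, c in pairs:
        r[e] = r.get(e, Fraction(0)) + c
    return {e: c for e, c in r.items() if c != 0}

def poly(*terms):
    """poly((-2, (0, 1)), (1, (2, 0))) is -2y + x^2."""
    return _acc((tuple(e), Fraction(c)) for c, e in terms)

def mul(p, q):
    return _acc((tuple(a + b for a, b in zip(e1, e2)), c1 * c2)
                for (e1, c1), (e2, c2) in product(p.items(), q.items()))

def diff(p, i):
    """Partial derivative with respect to variable i."""
    return _acc((e[:i] + (e[i] - 1,) + e[i + 1:], c * e[i]) for e, c in p.items() if e[i] > 0)

def lie(p, f):
    """Lie derivative L_f p = sum_i (dp/dx_i) * f_i along the polynomial vector field f."""
    return _acc(t for i, fi in enumerate(f) for t in mul(diff(p, i), fi).items())

def lie_seq(p, f, order):
    """[L_f^0 p, ..., L_f^order p]; take order >= N_{p,f}, so 'all zero' really means gamma = infinity."""
    seq = [p]
    for _ in range(order):
        seq.append(lie(seq[-1], f))
    return seq

def evalp(p, x):
    return sum((c * prod(xi ** ei for xi, ei in zip(x, e)) for e, c in p.items()), Fraction(0))

def rank_and_sign(seq, x):
    """Pointwise rank gamma_{p,f}(x) = least i with L_f^i p(x) != 0, plus the sign of that value;
    (None, 0) when every listed derivative vanishes at x."""
    for i, q in enumerate(seq):
        v = evalp(q, x)
        if v != 0:
            return i, (1 if v > 0 else -1)
    return None, 0

def in_f(seq, x, strict):
    """x in In_f(S(p > 0)) if strict, else x in In_f(S(p >= 0))  (Lemma 23 / Theorem 26)."""
    g, s = rank_and_sign(seq, x)
    return (not strict) if g is None else s > 0      # Gamma_0 counts only for p >= 0

def ivin_f(seq, x, strict):
    """Time-reversed version, using L_{-f}^i p = (-1)^i L_f^i p  (Theorem 28)."""
    g, s = rank_and_sign(seq, x)
    return (not strict) if g is None else s * (-1) ** g > 0

# A semi-algebraic set in DNF: list of clauses, each a list of (lie_seq, strict) atoms; [] means 'true'.
def member(dnf, x):
    return any(all(evalp(s[0], x) > 0 if st else evalp(s[0], x) >= 0 for s, st in cl) for cl in dnf)

def in_set(dnf, x, test):
    """In_f / IvIn_f of a DNF set as a union of intersections (Theorem 20, Lemma 22, Theorem 27)."""
    return any(all(test(s, x, st) for s, st in cl) for cl in dnf)

def violated_condition(P, H, Xi, x):
    """Which condition of Theorem 19 / 29 fails at the point x (None if none does)."""
    if member(Xi, x) and not member(P, x):
        return 1
    if member(P, x) and member(H, x) and in_set(H, x, in_f) and not in_set(P, x, in_f):
        return 2
    if not member(P, x) and member(H, x) and in_set(H, x, ivin_f) and in_set(P, x, ivin_f):
        return 3
    return None

# Example 30: f = (-2y, x^2), H = R^2, Xi = (x + y > 0), template  x - a > 0  or  y - b >= 0.
F = [poly((-2, (0, 1))), poly((1, (2, 0)))]
X, Y, ONE = (1, 0), (0, 1), (0, 0)

def check_example30(a, b, step=Fraction(1, 4), bound=2):
    """Sample Theorem 29's three conditions on a grid (this can only falsify a candidate (a, b),
    it proves nothing); returns (condition, point) for the first violation found, else None."""
    Xi = [[([poly((1, X), (1, Y))], True)]]
    P = [[(lie_seq(poly((1, X), (-a, ONE)), F, 2), True)],    # x - a > 0,  N_{p,f} = 2 on the page
         [(lie_seq(poly((1, Y), (-b, ONE)), F, 3), False)]]   # y - b >= 0, N_{p,f} = 3 on the page
    n = int(bound / step)
    vals = sorted({k * step for k in range(-n, n + 1)} | {Fraction(a), Fraction(b)})
    for pt in product(vals, repeat=2):
        c = violated_condition(P, [[]], Xi, pt)
        if c is not None:
            return c, pt
    return None

if __name__ == "__main__":
    print(check_example30(Fraction(-1), Fraction(-1, 2)))   # None: a + b <= 0 and b <= 0
    print(check_example30(Fraction(-1), Fraction(1, 2)))    # condition 3: b > 0 lets trajectories exit
    print(check_example30(Fraction(1, 2), Fraction(0)))     # condition 1: a + b > 0 leaves part of Xi out
```

For $(a, b) = (-1, -0.5)$ no grid point violates any condition, matching $a + b \le 0 \wedge b \le 0$. For $(a, b) = (-1, 0.5)$ the first violation is condition 3 at $(-1, 1/4)$: that point lies outside $\Gamma$ ($x = a$ is not $> a$, and $y < b$), yet $\mathrm{IvIn}_f(\Gamma)$ holds there because $L_f(x - a) = -2y < 0$, so trajectories arrive from $x > a$ and exit $\Gamma$. Condition 2 can never catch this for the open piece $x - a > 0$, because the exit point is not in $\Gamma$; this is why Theorem 19 needs the time-reversed condition 3 for sets that are not closed. For $(a, b) = (1/2, 0)$ the first violation is condition 1 at $(1/2, -1/4)$, an initial state outside $\Gamma$. The same `lie` routine reproduces the Lie derivatives listed for the example of Section 5, e.g. `lie(poly((-1, (1, 0)), (-1, (0, 2))), F)` for $h = -x - y^2$.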

7. CASE STUDY

In this section, we show that our method presented above can be used to generate continuous invariants for some real systems.

7.1 Formal Verification of CTCS-3

In [15], the authors use HCSP [11, 33] to formally model the Chinese Train Control System at Level 3 (CTCS-3) [32]. They also propose a calculus of HCSP for the purpose of verifying safety properties of CTCS-3. For this calculus to work, effective techniques for dealing with continuous dynamics must be incorporated.

Consider the following fragment of the HCSP model of CTCS-3:
\[
P_{EB1} = (\dot{s} = v,\ \dot{v} = a) \rightarrow v \ge v.Seg;\ \mathit{flag}_{EB} := \mathit{true};\ P_{EB}.
\]
Process $P_{EB1}$ models the running of a train, with $s, v, a$ representing its position, velocity and acceleration ($a$ is a constant) respectively. Once $v$ reaches the speed limit $v.Seg$ of the current segment, the flag $\mathit{flag}_{EB}$ for emergency braking is set to true and the train starts braking immediately, expressed by the subprocess $P_{EB}$.

The safety property to be verified about $P_{EB1}$ can be stated as
\[
\mathit{Inv} = v \ge v.Seg \rightarrow \mathit{flag}_{EB} = \mathit{true},
\]
which means that whenever the train's speed reaches the limit, it must execute the emergency brake process.

To verify this property, i.e. to check that $\mathit{Inv}$ is indeed an invariant of $P_{EB1}$, according to the calculus in [15] it amounts to checking that $v < v.Seg$ is a continuous invariant of the PDS $(H, f, \Xi)$, where $H = \mathcal{S}(v < v.Seg)$, $f = (v, a)$ and $\Xi = \{(s_0, v_0)\}$ with $v_0 < v.Seg$. According to our method, this can be further reduced to checking the validity of
\[
\forall v.\ (v - v.Seg = 0 \wedge v < v.Seg \rightarrow a < 0),
\]
which is obviously valid, since no $v$ satisfies the antecedent.

Perhaps this example seems a bit trivial, for the continuous dynamics is an affine system and the required invariant coincides with the domain. What we want to stress here is the completeness of our criterion for checking continuous invariants compared to others. For example, the principle given in [17] requires the directional derivative of an invariant in the direction of the vector field to have the same sign throughout the domain. As a result, it may fail to generate the above invariant $\mathcal{S}(v < v.Seg)$, because
\[
\forall v.\ (v < v.Seg \rightarrow \dot{v} = a < 0)
\]
is false when $a > 0$.

7.2 Collision Avoidance Maneuvers

We consider the following two-aircraft flight dynamics:
\begin{equation}
f \;\hat{=}\; \left\{
\begin{array}{llll}
\dot{x}_1 = d_1, & \dot{y}_1 = e_1, & \dot{d}_1 = -\omega d_2, & \dot{e}_1 = -\theta e_2, \\
\dot{x}_2 = d_2, & \dot{y}_2 = e_2, & \dot{d}_2 = \omega d_1,  & \dot{e}_2 = \theta e_1.
\end{array}\right. \tag{19}
\end{equation}
System (19) has 8 variables: $(x_1, x_2)$ and $(y_1, y_2)$ represent the positions of aircraft 1 and 2 respectively, and $(d_1, d_2)$ and $(e_1, e_2)$ represent their velocities. The parameters $\omega$ and $\theta$ denote the angular speeds of the two aircraft.

We shall apply our method to generating special invariants of the form $p = 0$ for the PDS $(H, f, \Xi)$ with $H = \mathbb{R}^8$ and $f$ defined in (19). For simplicity, we take $\Xi$ to be a singleton $\{(x_1^0, x_2^0, y_1^0, y_2^0, d_1^0, d_2^0, e_1^0, e_2^0)\}$.

In order to determine candidates for invariants of $(H, f, \Xi)$, we enumerate parametric polynomials $p = p(u, x)$ by the degree of $p$ and the number of variables appearing in it. For example, we can choose the linear template $p(u, x) = u_1 x_1 + u_2 x_2 + u_3 d_1 + u_4 d_2 + u_0$.

According to Theorem 29, it is easy to check that $p(u, x) = 0$ is an invariant of $(H, f, \Xi)$ if and only if $u$ satisfies

• $\forall x.\ \Xi \rightarrow p = 0$; and

• $\forall x.\ p = 0 \rightarrow \bigwedge_{i=1}^{N_{p,f}} L_f^i p(u, x) = 0$.

For the template defined above, we get $N_{p,f} = 2$. By applying quantifier elimination to the corresponding constraint, we get $u_2 - u_3 \omega = 0 \wedge u_1 + u_4 \omega = 0 \wedge u_0 + u_1 x_1^0 + u_2 x_2^0 + u_3 d_1^0 + u_4 d_2^0 = 0$. Thus we can obtain the following invariants by assigning suitable values to the $u_i$:

• $\omega x_2 + d_1 - \omega x_2^0 - d_1^0 = 0$;

• $-\omega x_1 + d_2 + \omega x_1^0 - d_2^0 = 0$;

• $-\omega x_1 + \omega x_2 + d_1 + d_2 + \omega x_1^0 - \omega x_2^0 - d_1^0 - d_2^0 = 0$.

If we use the quadratic template $p = u_1 d_1^2 + u_2 d_2^2 + u_0$, we also get $N_{p,f} = 2$, and the constraint for $u$ is $u_1 - u_2 = 0 \wedge u_0 + u_1 (d_1^0)^2 + u_2 (d_2^0)^2 = 0$. Let $u_1 = u_2 = 1$ and we obtain the invariant
\[
d_1^2 + d_2^2 - (d_1^0)^2 - (d_2^0)^2 = 0.
\]

Using arbitrary semi-algebraic templates, we can generate invariants beyond polynomial equations for $(H, f, \Xi)$, at the cost of heavier computation.
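The constraints quoted above can be checked by hand; the following is an added worked derivation, not part of the original paper. Differentiating the linear template along (19) gives
\[
\begin{aligned}
L_f p   &= u_1 \dot{x}_1 + u_2 \dot{x}_2 + u_3 \dot{d}_1 + u_4 \dot{d}_2
         = u_1 d_1 + u_2 d_2 - u_3 \omega d_2 + u_4 \omega d_1
         = (u_1 + u_4 \omega)\, d_1 + (u_2 - u_3 \omega)\, d_2, \\
L_f^2 p &= (u_1 + u_4 \omega)\, \dot{d}_1 + (u_2 - u_3 \omega)\, \dot{d}_2
         = \omega (u_2 - u_3 \omega)\, d_1 - \omega (u_1 + u_4 \omega)\, d_2 .
\end{aligned}
\]
Both derivatives are linear forms in $(d_1, d_2)$ only. If $u_1 \ne 0$ or $u_2 \ne 0$, the hyperplane $p = 0$ leaves $d_1, d_2$ unconstrained, so $p = 0 \rightarrow L_f p = 0 \wedge L_f^2 p = 0$ holds exactly when both coefficients vanish; if $u_1 = u_2 = 0$ and $\omega \ne 0$, the form $\omega(u_4 d_1 - u_3 d_2)$ cannot vanish on the line $u_3 d_1 + u_4 d_2 = -u_0$ unless $u_3 = u_4 = 0$, which satisfies the same equations. Hence
\[
u_1 + u_4 \omega = 0 \;\wedge\; u_2 - u_3 \omega = 0,
\]
which is the quantifier-elimination result and says that $p$ is a first integral of (19). Substituting $u_1 = -\omega u_4$, $u_2 = \omega u_3$ and fixing $u_0$ by $\Xi \rightarrow p = 0$ yields
\[
p = u_3\,(\omega x_2 + d_1 - \omega x_2^0 - d_1^0) + u_4\,(-\omega x_1 + d_2 + \omega x_1^0 - d_2^0),
\]
and the three listed invariants are the choices $(u_3, u_4) \in \{(1, 0), (0, 1), (1, 1)\}$. For the quadratic template,
\[
L_f p = 2 u_1 d_1 \dot{d}_1 + 2 u_2 d_2 \dot{d}_2 = -2 \omega u_1 d_1 d_2 + 2 \omega u_2 d_1 d_2 = 2 \omega (u_2 - u_1)\, d_1 d_2,
\]
which vanishes identically iff $u_1 = u_2$, recovering $d_1^2 + d_2^2 - (d_1^0)^2 - (d_2^0)^2 = 0$: the squared speed of aircraft 1 is conserved by the rotation $(\dot{d}_1, \dot{d}_2) = (-\omega d_2, \omega d_1)$.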

8. CONCLUSIONS

In this paper, we present a sound and complete criterion for checking SAIs for PDSs, as well as a relatively complete method for automatic SAI generation using templates. Our approach is based on computable algebraic-geometry theory. Our work in this paper actually closes the gap left open in [27]. Compared with the related work, more invariants can be generated through our approach. This is demonstrated by simple examples and case studies.

In the future, we will concentrate on the following problems. Firstly, we believe that our method can be applied to generate invariant sets for stability analysis, controller synthesis and so on in control theory, in particular for the construction of Lyapunov functions. Secondly, we will consider how to extend the approach to more general dynamical systems whose vector fields are functions beyond polynomials. Since our approach makes use of first-order quantifier elimination, which has doubly exponential cost [7], how to improve the efficiency of our approach will be our main future work. For instance, for linear templates it is helpful to reduce the complexity via linear programming.